LDAP groups in Active Directory/eDirectory to decide on access permission for RDP sessions

Hi there,

I want to assign groups inside PAM for user groups, so that only members of that group can receive permission to access RDP.

But I don't know what regular expression I have to write there.

I did get this link but I couldn't make out the DN. Can anybody write it down for me?

For both AD and eDirectory.

community.microfocus.com/.../1773821 Control Rule for LDAP Group Matching in Active Directory

  • I happen to think that is a helpful feature, just poorly integrated.

    The idea is, you need to define a Regular Expression that will match a Group uniquely in your directory.

    The Regex should be the same for eDIR and AD in theory, just the actual versions will be different.

    The appropriate page in the docs is here:

    https://www.netiq.com/documentation/privileged-account-manager-37/npam_admin/data/brxvkf6.html

    The syntax is:

    %:=~/^[Cc][Nn]=G*/

    This breaks down as %:=~ and then inside the / and / you need a regular expression.

    The example above means: ^, the value starts with; then either C or c, then either N or n (i.e. could be CN or cn); then an equal sign; then an object starting with G; and then *, which means any number of characters.

    So if you know you have a uniquely named group you could do:

    %:=~/^[Cc][Nn]=GroupName*/

    If you have a specific container, you could in theory expand it to something like:

    %:=~/^[Cc][Nn]=Groupname,[Oo][Uu]=GroupOU*/ and so on to make it more specific.

    Like I said, it is a good feature, just a kind of awkward implementation.

  • Verified Answer

    There will be a very much improved and streamlined approach for managing user groups in the new and improved Command Control Console that is planned for a future release. So this should help a lot I think, so keep an eye out for that.

    Another helpful bit of info is that by default the field here is case-sensitive, but you could pass a case-insensitive flag (i) with the regex if you'd prefer to have it that way. For example:

    %:=~/^[Cc][Nn]=RDP-Allow*/
    %:=~/^cn=rdp-allow*/i

    Both should match for the same group, while one is a bit more "greedy" and may catch more groups than you anticipate, so sometimes it's better to make it match strictly, but can be helpful when trying to implement it for the first time.

    You could also provide the full FDN context of the group as well if desired. Here are some examples; the more you include, the more specific or strict the match will be (most strict going down to least):

    %:=~/^CN=RDP-Allow,CN=Users,DC=domain,DC=com/
    %:=~/^CN=RDP-Allow,CN=Users*/
    %:=~/^[Cc][Nn]=RDP-Allow,CN=Users*/
    %:=~/^cn=rdp-allow,cn=users*/i
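To see how strict or loose each of the rules above actually is, here is an added Python example (not from the thread, and not the product's own matching code) that treats the `%:=~/regex/flags` form as an ordinary regex and reports which of some constructed group DNs each rule admits. It assumes the rule body is a plain anchored regex and that `i` is the only flag.

```python
import re

# Constructed sample group DNs (not taken from the thread): the intended RDP
# group, the same group's DN as some tools present it (lower case), and
# look-alike groups that an over-broad pattern would also admit.
SAMPLE_GROUP_DNS = [
    "CN=RDP-Allow,CN=Users,DC=domain,DC=com",
    "cn=rdp-allow,cn=users,dc=domain,dc=com",
    "CN=RDP-Allow-Temp,CN=Users,DC=domain,DC=com",
    "CN=RDP-Allow,OU=Contractors,DC=domain,DC=com",
    "CN=RDP-Allowed-Admins,CN=Users,DC=domain,DC=com",
    "CN=Domain Admins,CN=Users,DC=domain,DC=com",
]

# Shape of the rule as shown in the thread: %:=~ then /regex/ then optional flags.
RULE_SYNTAX = re.compile(r"^%:=~/(?P<regex>.*)/(?P<flags>[a-z]*)$")


def parse_rule(rule: str) -> re.Pattern:
    """Compile a '%:=~/regex/flags' rule into a Python regex.

    This is a local reading of the syntax in the thread (slash delimiters,
    trailing 'i' for case-insensitive), not the product's own parser.
    """
    m = RULE_SYNTAX.match(rule.strip())
    if m is None:
        raise ValueError(f"not a %:=~/.../ rule: {rule!r}")
    flags = re.IGNORECASE if "i" in m.group("flags") else 0
    return re.compile(m.group("regex"), flags)


def matching_groups(rule: str, group_dns: list[str]) -> list[str]:
    """Return every DN the rule matches; the '^' in the rules anchors the search."""
    pattern = parse_rule(rule)
    return [dn for dn in group_dns if pattern.search(dn)]


def unintended_matches(rule: str, intended_dn: str, group_dns: list[str]) -> list[str]:
    """DNs the rule admits besides the one group it was meant to select.

    A trailing '*' only repeats the character before it, so 'RDP-Allow*'
    really means 'RDP-Allo' followed by any number of 'w', which is why it
    also catches 'RDP-Allow-Temp' and 'RDP-Allowed-Admins'.
    """
    return [dn for dn in matching_groups(rule, group_dns)
            if dn.lower() != intended_dn.lower()]


if __name__ == "__main__":
    intended = SAMPLE_GROUP_DNS[0]
    for rule in ("%:=~/^[Cc][Nn]=RDP-Allow*/", "%:=~/^cn=rdp-allow,cn=users*/i"):
        print(rule, "->", unintended_matches(rule, intended, SAMPLE_GROUP_DNS))
```

Run against a dump of your real group DNs before putting a rule into the control rule; the loose prefix form admits three extra groups here while the container-qualified form admits none.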